Analysis

  • max time kernel
    4294183s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    21/03/2022, 20:22

General

  • Target

    SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe

  • Size

    7.7MB

  • MD5

    7bf3a72a5287c6388cda810822c894a3

  • SHA1

    4c23e414457d18ceee367a19afbe0c51588c3df0

  • SHA256

    7ae4237b70f7233f779dbcde9db944e13472a1c4097baa4a17f5e769e0869476

  • SHA512

    014fa7d7ead618cdbead06ec8658b7c41baba40d1954358065b28f0eab824028a4b34263d187ed332a0e40b5e6bba64b027bf6cfadf638b0924ae96aba00d9c9

Malware Config

Signatures

  • Gozi, Gozi ISFB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Win32WebViewHost.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Win32WebViewHost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /C erase %temp% /f /s /q
        3⤵
        PID:1600
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "Win32WebViewHost.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1664
        • C:\Windows\system32\choice.exe
          choice /C Y /N /D Y /T 1
          4⤵
          PID:608

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1876-54-0x000007FEFB711000-0x000007FEFB713000-memory.dmp
    Filesize: 8KB

  • memory/2004-58-0x000000003F2C0000-0x000000003F2CE000-memory.dmp
    Filesize: 56KB

  • memory/2004-61-0x000007FEF4F80000-0x000007FEF596C000-memory.dmp
    Filesize: 9.9MB